LDAP and TG


Tjaart de Beer

Sep 8, 2006, 3:41:43 AM
to turbo...@googlegroups.com
Hi

We have an LDAP server running and want to use it to authenticate people
for a TG project. I have scoured the web looking for examples of LDAP
use in TG but only came across two posts which helped me (sort of). The
two scripts, soldapprovider.py and ldapprovider.py are giving me a problem.

If someone could help with the following issues:
1. Which of the two scripts is the best to use?

2. Which files must be altered and what must be put where?
(After a while I realised that you have to put the scripts in TG's
directory under identity, add it in TG's setup.py and then rebuild it.
This was not said in any documentation. I also have to add a few lines
in app.cfg to give the LDAP host name etc.)

3. What does "turbogears.identity.soprovider.autocreate" do in
soldapprovider.py?

4. It seems, to me at least, that in order to authenticate a user with
LDAP, the user needs to be in the local, TG created database as well.
Only when I add the user there, do I get any type of response from LDAP.

E.g.
user XXX is IN tg_users table in local db. When I try to authenticate,
I get "No such LDAP user: XXX". When the user is NOT in the tg_users
table, I get "No such user: XXX".

This implies to me that the user needs to be on LDAP as well as in a
local tg_users db. Am I correct in this assumption?

Any help will be very much appreciated!! Thanks!


--
Tjaart de Beer
Bioinformatics and Computational Biology Unit
Department Biochemistry
FABI Square/Bioinformatics building
Faculty of Natural Sciences
University of Pretoria
Lynwood rd
Pretoria
South Africa
0001

Tel: +27 12 420 5802
Cell: +27 83 504 7914
Fax: +27 12 420 5800
Email: tja...@tuks.co.za
tde...@gmail.com

---------
The software required "Windows XP or better" ... so I installed Linux

Adam Jones

Sep 8, 2006, 11:14:30 AM
to TurboGears

There seems to have been a lot of discussion of LDAP on the mailing
list. You may want to poke through a search on that and see if you can
find anything. Some of the Identity stuff in the documentation and on
the wiki at trac.turbogears.org discusses writing your own provider,
which may help you understand what these ldap implementations are doing.

Tjaart

Sep 8, 2006, 12:13:03 PM
to TurboGears
Thanks Adam. We eventually solved the problem by looking at the live
LDAP log while trying to log in. The problem was caused by the filter
setting that was used to connect to the LDAP server. In
soldapprovider.py the filter is set to use sAMAccountName. Somehow this
was being passed as a blank filter setting to the LDAP server. This
server was set to authenticate on uid and not sAMAccountName. Simply by
changing that line the script worked.

So for completeness' sake here follow our steps:
1. Save the soldapprovider.py file to turbogears/identity/.
2. Edit your TG setup.py and include the following in the section under
[turbogears.identity.provider].
    soldap = turbogears.identity.soldapprovider:SoLdapIdentityProvider
3. Rebuild TG.
4. In your project edit app.cfg and add the following:
    identity.provider="soldapprovider"
    identity.soldapprovider.host = "hostname"
    identity.soldapprovider.basedn = "basedn settings separated by commas"
    identity.soldapprovider.autocreate = "True"
5. All the users that want to authenticate through LDAP must have an
entry in the tg_user table on your local machine. Do not put any
passwords in.
6. Run your project.

The part about the user is a bit strange. We thought that the
autocreate setting would populate the database for you, but then again we
didn't go into this. We simply added a user without a password into
tg_user with Catwalk.

Hope this helps other people as well.

Tjaart
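
The filter problem described in the last post (a provider matching on sAMAccountName against a server that authenticates on uid, with a blank filter reaching the server) can be turned into a check that fails loudly before any search is sent. This is an added example, not part of the thread and not code from soldapprovider.py; the function names and the sample logins are constructed for illustration.

```python
import re

# RFC 4512 attribute descriptor: a letter followed by letters, digits or hyphens.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

# RFC 4515: these characters must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login_attr, username):
    """Return "(attr=value)", or raise ValueError rather than emit a blank
    or malformed filter that the directory would answer unpredictably."""
    if not login_attr or not _ATTR_RE.fullmatch(login_attr):
        raise ValueError("login attribute missing or malformed: %r" % (login_attr,))
    if not username or not username.strip():
        raise ValueError("empty username; refusing to build a filter")
    return "(%s=%s)" % (login_attr, escape_filter_value(username))


if __name__ == "__main__":
    # Constructed sample inputs: (configured attribute, login name typed by the user).
    samples = [
        ("uid", "tjaart"),             # OpenLDAP-style directory
        ("sAMAccountName", "tjaart"),  # Active Directory-style directory
        ("uid", "*)(uid=*"),           # metacharacters must not alter the filter
        ("", "tjaart"),                # unset attribute: the blank-filter case
        ("uid", "   "),                # blank login name
    ]
    for attr, user in samples:
        try:
            print("%-16r %-12r -> %s" % (attr, user, build_user_filter(attr, user)))
        except ValueError as exc:
            print("%-16r %-12r -> rejected: %s" % (attr, user, exc))
```
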
